Forum Discussion
Stig_Dahl_82658
Nimbostratus
May 08, 2008
Finding out ssl::mode on serverside
I use a vip that has serverssl enabled. On one specific pool I should use "SSL::enable serverside" and on the others "SSL::disable serverside".
This works fairly well, but how do I find out which mode I'm actually using? SSL::mode seems to display only the clientside, i.e. I'm always getting true for SSL::mode whatever mode I'm actually using on the serverside.
I could always set my own variable, but I would like to know how the irule has decided.
Regards
Stig
4 Replies
- hoolio
Cirrostratus
What event are you using SSL::mode in? Can you post your full rule or the relevant portions?
Aaron
- Stig_Dahl_82658
Nimbostratus
Mainly I need it for debugging right now. But if there is a check for SSL-mode it would be nice to know what the TMM has selected.
I use a line like this at the end of the rule:
    if {$debug == 1 } {log local0. "URI=[HTTP::uri], using server [LB::server], SSL=[SSL::mode]"}
So I can see what server and port (serverside), but not the protocol. I can, however, see SSL traffic with tcpdump where there shouldn't be any. So I have some kind of bug in my irule. Need to find it.
Stig
- Stig_Dahl_82658
Nimbostratus
Posted By hoolio on 05/08/2008 11:43 PM
What event are you using SSL::mode in? Can you post your full rule or the relevant portions?
Aaron
I'm using HTTP_REQUEST and HTTP_REQUEST_DATA, since I need to check POST-requests.
It would be a good thing if I could use a generic log-line at the end of the rule that checked what pool-member was selected and protocol and so on. I can check for pool-member with LB::server but not if I'm using SSL or HTTP as protocol.
And then sometimes I get the wrong protocol to the server, so being able to find out the ssl-mode on the serverside and not only the client-side would be nice.
I'm not attaching any rule, since this is a generic question about the possibilities of reading variables and states.
Stig
- hoolio
Cirrostratus
You can check for a serverssl profile with the PROFILE::exists command. The serverssl profile isn't attached to the VIP until the server side context, so the first event you can get a valid result in is HTTP_REQUEST_SEND.
I have a faint recollection of one of the developers saying that the PROFILE:: command is expensive in terms of CPU. So if you don't need to use it in production, it might be better not to. Maybe someone can provide more correction/clarification on this.
    # Client-side event: the serverssl profile is not attached yet
    when HTTP_REQUEST {
        if {([PROFILE::exists serverssl] == 1) && ([PROFILE::serverssl mode] == 1)} {
            log local0. "Server SSL enabled"
        } else {
            log local0. "Server SSL not enabled"
        }
    }
    # Server-side event: first point where the check returns a valid result
    when HTTP_REQUEST_SEND {
        if {([PROFILE::exists serverssl] == 1) && ([PROFILE::serverssl mode] == 1)} {
            log local0. "Server SSL enabled"
        } else {
            log local0. "Server SSL not enabled"
        }
    }
Output:
: Server SSL not enabled
: Server SSL enabled
Aaron
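An added example, not taken from any post in this thread: a debug iRule that combines the asker's idea of recording the decision in a variable with the PROFILE:: check from the last reply, and logs both from the server-side context so the result can be compared with tcpdump. The pool names, the URI prefix and the variable names are hypothetical; IP::server_addr and TCP::server_port are used in place of LB::server to report the server-side endpoint of the connection.

```tcl
when CLIENT_ACCEPTED {
    # Connection-local debug switch (same role as $debug in the thread)
    set debug 1
}

when HTTP_REQUEST {
    # Keep the URI for the server-side log line
    set req_uri [HTTP::uri]

    # Record the server-side SSL decision at the point where it is made.
    # "/secure", pool_https_example and pool_http_example are placeholders.
    if { $req_uri starts_with "/secure" } {
        pool pool_https_example
        SSL::enable serverside
        set want_ssl 1
    } else {
        pool pool_http_example
        SSL::disable serverside
        set want_ssl 0
    }
}

when HTTP_REQUEST_SEND {
    # Server-side context: the serverssl profile is queryable here.
    # PROFILE:: is reported in the thread as possibly CPU-expensive,
    # so it is only evaluated when debugging is on.
    if { $debug == 1 } {
        if {([PROFILE::exists serverssl] == 1) && ([PROFILE::serverssl mode] == 1)} {
            set profile_ssl 1
        } else {
            set profile_ssl 0
        }
        log local0. "URI=$req_uri server=[IP::server_addr]:[TCP::server_port] rule_chose_ssl=$want_ssl profile_ssl=$profile_ssl"
    }
}
```

A request whose log line shows rule_chose_ssl=0 while tcpdump shows SSL on that server address and port points at the branch of the rule that made the wrong choice.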
